27 comments

[ 3.2 ms ] story [ 72.8 ms ] thread
TextSecure user, and I can verify this as accurate.

When I first saw the stagefright bug, I looked for a way to disable MMS in the app. There is no way to disable MMS in the app, so I had a friend MMS me a message, and I got the warning as the post describes.

Feel free to test it out for yourself, but it was nice to see that TextSecure, by its nature, is secure from this bug through design.

"Feel free to test it out for yourself, but it was nice to see that TextSecure, by its nature, is secure from this bug through design."

My take based on Moxie's comment. Good design.

I don't think a popup warning is much protection. Most people really want to see that picture that they think they just received.
(comment deleted)
The kind of folks running TextSecure have already made an effort to install a replacement messaging application, hopefully this helps them also pay attention to the warning.

If nothing else it'll slightly slow down a worm utilising this exploit...

It mitigates the worst part of the threat: An exploit that happens without any user involvement.
First of all, TextSecure does display pictures in MMS. It just doesn't call out to stagefright to do so. I've never recieved a video message, so don't know how that works.

Second of all, the difference between a 0-click infection and a 1-click infection is huge in terms of time it takes for a worm to spread.

As a digital and security training for human rights defenders and journalists all over the world - this is one of the reasons why I try as hard as possible to push the awesome work of the WhisperSystems team and Moxie.
(comment deleted)
Err wow I didn't think me raising an issue on Github would put me on the frontpage of HN. But I am glad to see that they handle this well by default - another reason why I will be keeping it!
I wonder if this also affects Telegram as well?
From what I've seen, the bug doesn't affect iOS devices, so while I have no idea whether the behavior between TextSecure and Telegram is the same, iOS isn't vulnerable either way.
I'm assuming glokon means Telegram for Android.
Well color me ugly. I didn't know that existed.
I believe you have to click to load the videos (data saver). But that might just be old/archived-ish videos.
If I'm running Android without TextSecure, how do I mitigate this?
Install TextSecure.

Alternately, disable MMS auto-processing.

Why wouldn't you be running TextSecure?
No one I know uses it or will use it. Is there another reason I should?
Even if your friends don't yet use TextSecure, you can still send / receive messages with them; when they do (if they do) get TextSecure, then messages can be encrypted -- until then, they will be as insecure [and with privacy issues] as normal default messaging.

So, what do you lose if you use TextSecure ... even if your friends don't or won't use it? What is the problem?

This is a great example of where usability and security meet. Auto downloading MMS messages is certainly much nicer from a UX perspective. However it can lead to bugs as we are witnessing.

I think they struck a good medium.

(comment deleted)